- From: Tim <tim-projects@sentinelchicken.org>
- Date: Tue, 9 Feb 2010 06:23:15 -0800
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
Hi Maciej,

> The DNS Spoofing security considerations subsection has a
> requirement that actually increases the risk of DNS rebinding attacks.
> It says that "If HTTP clients cache the results of host name lookups
> in order to achieve a performance improvement, they must observe the
> TTL information reported by DNS". Clients that follow this advice will
> be at greater risk than if they give cached DNS lookup results a floor
> on time-to-live, or keep a DNS resolution result "pinned" so long as
> any resource from that domain is active. Those are the simplest
> client-side mitigation strategies for DNS rebinding attacks. If DNS
> lookups are cached in the browser for a minimum of, say, an hour,
> there is much less risk of a DNS rebinding attack, because the
> attacker must get the user to keep a page open for at least an hour to
> be able to perform the rebinding attack.

While I'm not an expert on DNS rebinding, I'm afraid I don't agree that DNS pinning helps prevent rebinding attacks. To bypass DNS pinning, it has been shown that the attacker can close their own server's HTTP port (return a RST to all future packets). At this point, browsers currently go out and get the new IP address from the DNS and initiate a new connection. When you think about it, what else can a user agent do? It has no way of knowing if the DNS record legitimately expired, so the only alternative is to simply prevent users from accessing the web site for an hour (or whatever time limit you propose).

The negative side of your proposal is, of course, the fact that plenty of legitimate sites utilize small TTLs where the IPs actually change. Some possible examples: dynamic DNS based sites, high availability hosting sites designed to mitigate denial of service attacks, and just legitimate sites in transition between different server IP addresses.

> DNS rebinding can also be defended against with complete
> effectiveness if servers always check the Host header. A server
> attacked via DNS rebinding will get an unexpected value in the Host
> header - the attacker's hostname instead of any of its own.

I think it certainly would be worth discussing DNS rebinding in any revisions, even if I don't agree with your first suggestion. Host header checking is something to look into.

Regards,
tim
Received on Tuesday, 9 February 2010 14:15:00 UTC
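The server-side Host header check discussed in the thread, as an added example that is not part of the original messages or of any project the participants work on. The allow-list (`intranet.example`, `localhost`, loopback literals), the request shape and the attacker name `attacker.example` are constructed for illustration. The point it demonstrates is the one Maciej makes: in a rebinding attack the browser has to send the attacker's hostname in Host, because that is the origin the page was loaded from, so a server that only answers for names it actually owns rejects the request even though it arrived at the right IP and port. The parser also strips the port, lowercases the name, removes a trailing dot and handles bracketed IPv6 literals, so that a legitimate `Host: INTRANET.example:8080` is not rejected by accident.

```javascript
// Added example, not from the thread: reject requests whose Host header
// names a host this server does not serve. This is the defense against
// DNS rebinding that Maciej proposes and Tim agrees is worth looking into.

// Names this service is legitimately reachable under (constructed list).
const ALLOWED_HOSTS = new Set([
  "intranet.example",
  "localhost",
  "127.0.0.1",
  "[::1]",
]);

// Normalize a Host header value to a lowercase host without the port.
// Returns null when the header is missing or malformed, which the caller
// treats as "not allowed".
function parseHost(hostHeader) {
  if (typeof hostHeader !== "string") return null;
  const value = hostHeader.trim().toLowerCase();
  if (value === "") return null;

  // Bracketed IPv6 literal, e.g. "[::1]" or "[::1]:8080".
  if (value.startsWith("[")) {
    const end = value.indexOf("]");
    if (end === -1) return null;
    const rest = value.slice(end + 1);
    if (rest !== "" && !/^:\d{1,5}$/.test(rest)) return null;
    return value.slice(0, end + 1);
  }

  // Hostname or IPv4 literal with an optional single ":port" suffix.
  const m = /^([a-z0-9._-]+)(?::(\d{1,5}))?$/.exec(value);
  if (!m) return null;

  // "intranet.example." is the same name as "intranet.example".
  return m[1].replace(/\.$/, "");
}

// True only if the normalized Host is on the allow-list.
function hostAllowed(hostHeader, allowed = ALLOWED_HOSTS) {
  const host = parseHost(hostHeader);
  return host !== null && allowed.has(host);
}

// Request handler kept free of the http module so it is easy to test.
// `req` is assumed to look like Node's IncomingMessage: { headers: { host } }.
function handleRequest(req, allowed = ALLOWED_HOSTS) {
  const host = req && req.headers ? req.headers.host : undefined;
  if (!hostAllowed(host, allowed)) {
    // A rebound request carries the attacker's origin name in Host; a
    // direct request from a legitimate client never does.
    return { status: 400, body: "Bad Request: unrecognized Host header\n" };
  }
  return { status: 200, body: "hello from the intranet service\n" };
}

// Constructed scenario: attacker.example first resolved to the attacker's
// own server, then was rebound to this server's IP. The browser still
// sends the name it loaded the page from, so the request is refused.
const reboundRequest = { headers: { host: "attacker.example" } };
const legitimateRequest = { headers: { host: "INTRANET.example:8080" } };

function demo() {
  return {
    rebound: handleRequest(reboundRequest).status,     // 400
    legitimate: handleRequest(legitimateRequest).status, // 200
  };
}
```

To wire this into a real listener, pass `handleRequest` the `req` from `http.createServer((req, res) => ...)` and write back the returned status and body; the handler itself never starts a socket, which keeps it runnable in a unit test.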